In the event of an IT security incident, not only technical tasks must be performed; non-technical tasks must be handled as well. These include, among other things, complying with reporting obligations and communicating the incident to the relevant authorities. This article is intended to provide a deeper insight into the important topic of reporting obligations in the event of an IT security incident.
In addition to the DSGVO (GDPR), which applies throughout Europe, there is also the IT-SiG.
The IT-SiG is an omnibus act (Artikelgesetz): rather than standing on its own, it amends existing laws such as the BSIG, the TKG, the TMG and the AtomG.
Essentially, the reporting obligation comes down to three questions, which are addressed below.
What must be reported?
When it comes to the question of what must be reported, a rough distinction can be made between two types of incident: ordinary and significant incidents.
Ordinary incidents are incidents that are either caused by minor technical failures or are classified as so harmless that neither the company nor its data is affected. A technical failure can be, for example, a harmless hardware failure that does not affect any safety-critical components. Harmless attacks include general spam or phishing with no discernible targeted motivation, or malware that was detected by security tools and has already been removed.
Significant incidents, on the other hand, are subject to mandatory reporting and can have a serious impact on companies and their IT systems. Significant incidents include previously unknown malware whose purpose and possible impact on the infrastructure cannot be determined. Likewise, targeted phishing attacks are considered a significant disruption: they can be tailored to the organisation and form part of a larger attack on the company. We look at the different types of phishing in our article (Digital Threats: Phishing). In addition, the exploitation of previously unknown security vulnerabilities, known as zero days (see Exchange article), may be reportable.
When must an incident be reported?
If a significant incident occurs, it must be reported immediately. All information available up to that point must be submitted to the BSI, including:
– information on the type of incident and the type of systems affected,
– details of the cause or initial assumptions,
– contact persons.
To ensure that nothing falls by the wayside during this usually hectic phase, the BSI provides a template for correct reporting. If it is not possible to answer all the questions about the incident at the time of the report, the report must be marked as an initial report. The rule here is speed before completeness. Subsequent reports can then be submitted, and as soon as all the required information is available, a final report can be made. The final report is made after the incident has been completely remedied and concludes the affected party's reporting obligation to the BSI.
Who must report an incident?
Companies in the seven CRITIS sectors:
– information technology,
– water and food,
– finance and insurance,
– transport and traffic
Telecommunications companies must also submit a report to the Federal Network Agency.